
Number of hosts each day?


I'm looking for a count of the number of hosts each day that have sent events to splunk. I know another department spun up a VERY large number of servers in the last few days and I just don't know how many or which department until I can identify the servers.

My hope is to get the list of hosts in the last 24 hours and get a list for last week, and compare (diff) the 2 lists.

The following shows the same number of hosts whether it is over 15 minutes or 24 hours on any given day. The number of hosts is always the same.

| metadata type=hosts | table host

or

| metadata type=hosts | stats count by host

The following doesn't show enough servers. We have many more sending to splunk than what this outputs.

index=_internal per_host_thruput | timechart span=1d dc(series) as hosts


Are the hosts visible on the summary page? Are they at least showing up in splunk? These new hosts that were spun up, were they set up with inputs and to forward data to the splunk indexer? If they haven't sent any data to an indexer they won't show up as a host at all.

Summary page: No, only 10 show up. I have thousands of servers; 10 to 100 servers could be spun up at any time. They use an image, so when they come online they use existing predefined inputs and sourcetypes. When there is a spike in my license usage it is typically a host or cluster spamming splunk (i.e. debug is turned on, or there is a serious problem across a cluster and massive errors are logged). Since there is no abnormality in the events being sent to splunk and I know we are turning up servers within the company, I need to get a handle on this so I know when we will max out our license.

Is there any way to check one of these hosts that should be showing up in splunk? Is it forwarding to the right indexer in outputs.conf? Are there any errors in splunkd.log? Are you searching the last 24 hours, I suppose, when looking for hosts?

1 Answer

The | metadata command will only ever give you the current stats, so it won't do you any good as far as comparing today's hosts with last week's hosts.

And the _internal metrics data technically only lists stats from hosts that are significant contributors. So if there are a lot of hosts that are contributing relatively little, they won't show up there at all.

The answer may be to just spin up a search that searches every event.

If you run this search over a given time period:

* | fields host | stats count by host | sort host

it will give you an exhaustive list of all of the hosts in that period.

If you run this search:

* | fields host | timechart dc(host)

that will give you a graph of the number of distinct hosts over time, which might be useful.

And if you want to try doing the whole diff of this week's hosts versus the hosts from a week ago, here are some searches that can do that:
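As an added example that is not part of the original answer, the following search does the week-over-week host comparison with tstats instead of a raw `*` scan. tstats reads the indexed host field, so it sees every host that sent at least one event (unlike the _internal per_host_thruput metrics, which only list the heavy contributors) while being far cheaper than searching every raw event. It assumes the searching role can see all indexes (index=*); the labels this_week, last_week, new_this_week and stopped_since_last_week are constructed for this example.

```spl
| tstats count where index=* earliest=-14d latest=now by _time span=1d, host
| eval period=if(_time >= relative_time(now(), "-7d@d"), "this_week", "last_week")
| stats sum(count) as events, values(period) as periods by host
| eval status=case(mvcount(periods)==2, "both",
                   periods=="this_week", "new_this_week",
                   periods=="last_week", "stopped_since_last_week")
| where status!="both"
| sort status, host
```

Hosts tagged new_this_week appeared in the last 7 days but not in the 7 days before that, which is the list to hand to whichever department spun up the servers (and to check against your inventory, since a forwarder nobody expected is worth a look in its own right). To compare the last 24 hours against the prior week instead, change earliest to -8d and the relative_time offset to "-1d". One caveat: tstats only sees the host value as it was indexed, so hosts renamed by search-time field overrides will show up under their original names.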
